
FIGURE 14 






MN receives agent advertisement from Mobility Agent (MA) indicating that mobile node should obtain IP address from DHCP server and determines from agent advertisement that the MN is in different zone from the MA
(SEE FIG. 7)

Shared key generated and provided to MA and MN



MN performs DHCP discover and obtains IP address from DHCP server

Mobile node views MA as HA and attempts to send registration request to the MA
(SEE FIG. 8)



MA constructs RADIUS access request including an 1) authentication attribute including authentication information from the MN-AAA extension and a 2) key request attribute requesting that HAAA set up key to be shared by MA and MN



MA sends access request to FAAA

FAAA sends the access request to HAAA

HAAA authenticates the mobile node using the authentication information

Registration request authenticated (Y)
(SEE FIG. 9)



HAAA generates a key to be shared by MA and MN and encrypts 1) MA key using HAAA-FAAA key and 2) MN key using HAAA-MN key (pre-configured)

MA key and MN key provided in attribute in access accept message
(SEE FIG. 10)

HAAA sends access accept message to FAAA



FAAA decrypts MA key (optionally encrypts using FAAA-MA key)

FAAA forwards access accept to MA

MA obtains MA key from access accept packet, decrypts MA key, stores MA key

MN receives registration reply



MN obtains the MN key from the registration reply

MN decrypts the MN key and stores the MN key

MN authenticates the registration reply (MN verifies MN-MA shared key)

MN runs hash algorithm using the MN key to obtain hash of registration reply

MN obtains hash of reply from MHAE of the registration reply (built using MA key)

MA obtains MN key from access accept packet



Send RADIUS access reject

MA composes registration reply packet indicating MN needs to re-register with key provided in the registration reply packet and having MN-MA key reply extension including the MN key and a MHAE extension including a hash of MA key
(SEE FIG. 1

MA sends the registration reply packet to MN



FIG. 116) 



MN compares hash of reply built using MN key and MA key to ensure MN and MA share same key

MN re-registers using the MN-MA shared key

MN re-registers with the MA with the new MN key
(SEE FIG. 12)



FIG. 3 



MN receives agent advertisement from Mobility Agent (MA) indicating that mobile node should obtain IP address via the MA and determines from agent advertisement that the MN is in different zone from the MA
(SEE FIG. 7)

Mobile node composes registration request and sends registration request to MA
(SEE FIG. 13)



MA indirectly authenticates registration request

MA constructs RADIUS access request including an 1) authentication attribute including authentication information from the MN-AAA extension, a 2) key request attribute requesting that HAAA set up key to be shared by MA and MN, and 3) VSE indicating that FAAA to assign HA



(SEE FIG. 14)

MA sends access request to FAAA

FAAA obtains VSE and sends the access request to HAAA

HAAA authenticates the mobile node using the authentication information




No: Send RADIUS access reject

Registration request authenticated (Yes)

Shared key generated and provided to MA and MN



HAAA generates a key to be shared by MA and MN and encrypts 1) MA key using HAAA-FAAA key and 2) MN key using HAAA-MN key (pre-configured)

Encrypted MA key and encrypted MN key provided in attributes 1, 2 of access accept message

HAAA sends access accept message to FAAA

MN receives registration reply

MN obtains the MN key from the registration reply



FAAA selects one of local HAs (inc. MA) and provides assigned HA in vendor specific attribute 3 in access

jgg (SFF HlG. ljs> 



FAAA decrypts MA key (optionally encrypts using FAAA-MA key)

FAAA forwards access accept to MA

MA obtains MA key from access accept packet, decrypts MA key, caches MA key for a period of time



MN decrypts the MN key and stores the MN key

MN authenticates the registration reply (MN verifies MN-MA shared key)

MN runs hash algorithm using the MN key to obtain hash of registration reply

MA obtains MN key from access accept packet



MN obtains hash 
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